How does it go in fairy tales? In a certain kingdom, in a certain state, there lived a large energy company, Princess Nesmeyana. And the cyber villain Nightingale the Robber got into the habit of pelting her with stones: phishing e-mails carrying malware. “A typical situation,” you say, and you can’t argue with that. In our age of sophisticated information security solutions, with physical and software protection of the perimeter, with DLP, SIEM, antivirus and other security systems in place, businesses often remain completely defenseless because employees open phishing e-mails. And yet, not everything is so bad. Statistics show that over the past seven years, interest in cyber awareness products (Security Awareness, SA) on the Russian market has been growing by an average of 50% year on year. The editors of CISOCLUB talked with Igor Tyukachev, Head of the Business Development Department for Axoft Information Security products, about how SA helps businesses avoid becoming victims of intruders, how to prepare employees for cyber attacks and, in general, about the search for the “magic pill”.
Prevention is our everything!
According to various estimates by research centers, 80% of cyberattacks begin with e-mail. There are different solutions for mail protection, such as anti-phishing and sandboxes, but, as practice shows, this is not enough. “Instead of treating the disease, it is better to prevent it,” doctors say. Prevention is necessary! To increase the effectiveness of information security measures, it is necessary to involve employees, train them and raise their awareness of what intruders are capable of.
People are the weakest link
Especially with the current development of social networks, the digital footprints people leave and the leaked databases of information about them. Now you don’t even need to spend money searching for information: services periodically appear where you can look up, by phone number:
— addresses and amounts of orders from the food delivery service;
— if there is a car – its make, number and insurance data, whether there were accidents or not;
— links to social networks, as well as, in some cases, a password from them;
— which banks have accounts, plastic cards.
Based on this information, enriched with data from social networks, you can build a portrait of the “target”: his circle of acquaintances, vacation spots, interests, etc. And prepare the “right letter”.
Attackers also run mass mailings, hoping that some will pass all the protection measures and the user will click on the link or open the attached file, thereby launching malware or otherwise triggering an attack. Thus, it becomes clear that employees need to be trained. But, as we know, theoretical knowledge is very quickly forgotten if it is not applied in practice. Therefore, the main question is how to build a regular testing process in order to understand which of the employees is the “weakest link” and requires retraining.
There is a solution – Security awareness
SA is a good tool that helps the information security department increase employees’ level of cyber awareness and reduce the risks that can be realized through them.
Top problems that companies most often face:
— Employees are silent about information security incidents (they are afraid or do not know how to report them).
— Social engineering, and phishing as a particular example: an employee is the weakest link through which attackers penetrate the company network.
— Lack of regular work with employees to prevent repeated incidents.
— Identifying employees who are difficult to train or who sabotage training.
Just 4 steps to cyber awareness
Here, for example, is how the domestic Phishman SA platform solves these issues. Companies choose it for:
– autonomy (it can work in a closed loop, i.e. an isolated network),
– good training materials and their customization to the needs of customers,
– automation of the cyber awareness process based on events from external systems (DLP, antivirus, SOAR, etc.).
The process consists of four steps:
1. Collecting information. This includes test phishing (sites, attachments, forms), flash drives with special files, and information from external systems. In general, all the information needed to build a user profile and understand where and what mistakes he makes.
2. Directing the user to a course that will build the missing skill. This can be a course on creating passwords, a course on the basics of information security, or a course on countering phishing. There are fifteen of them in total.
3. During the course, as well as at the end of the training, the user completes verification tasks and a test that assesses how well the material has been absorbed. The platform also evaluates the user’s reaction to phishing, to supplement the statistics.
4. The work that the user does not see is automation based on scripts and rules. For example: the user inserts a flash drive for the third time in a month, the SA product sees this through the antivirus (even if the flash drive is blocked) and sends the user, via an e-mail message, to a course on working with external drives.
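The rule-based automation described in the last step (count events per user from an external system, and when a threshold is crossed within a time window, assign a course) can be sketched as a small event-replay engine. The following is an added illustration written for this article; it is not Phishman’s code and makes no claim about how that platform is implemented. The event tuples, rule fields (`event_types`, `threshold`, `window_days`, `course`), the 30-day cooldown and the sample events are all constructed assumptions; real deployments would read these events from the antivirus, DLP or phishing-simulation system and hand the assignment to the mail system.

```python
"""Rule-based course assignment from security telemetry (added example).

Assumed input model (not from the article): each event is a tuple
(iso_timestamp, user, source_system, event_type). Each rule names the
event types it counts, a count threshold, a look-back window in days and
the course to assign. A cooldown stops the same course being re-assigned
to the same user on every further event.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("2024-03-01T09:12:00", "ivanov", "antivirus", "usb_blocked"),
    ("2024-03-05T10:30:00", "ivanov", "antivirus", "usb_blocked"),
    ("2024-03-05T11:00:00", "petrova", "phishing_sim", "link_clicked"),
    ("2024-03-20T14:45:00", "ivanov", "antivirus", "usb_blocked"),
    ("2024-03-28T08:00:00", "petrova", "phishing_sim", "attachment_opened"),
    ("2024-04-15T16:10:00", "ivanov", "antivirus", "usb_blocked"),
]

# Constructed rules. The first one mirrors the article's example:
# third blocked flash drive within a month -> course on external drives.
RULES = [
    {
        "name": "usb-repeat",
        "event_types": ("usb_blocked",),
        "threshold": 3,
        "window_days": 30,
        "course": "Working with external drives",
    },
    {
        "name": "phishing-fail",
        "event_types": ("link_clicked", "attachment_opened"),
        "threshold": 1,
        "window_days": 90,
        "course": "Countering phishing",
    },
]


def evaluate(events, rules, cooldown_days=30):
    """Replay events in time order and return course assignments.

    Returns a list of (user, course, iso_timestamp_of_triggering_event),
    in the order the assignments were made.
    """
    history = defaultdict(deque)  # (user, rule name) -> timestamps inside the window
    last_assigned = {}            # (user, course) -> time of the last assignment
    assignments = []

    # ISO 8601 timestamps sort correctly as strings.
    for ts_str, user, _source, etype in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        for rule in rules:
            if etype not in rule["event_types"]:
                continue
            window = history[(user, rule["name"])]
            window.append(ts)
            # Drop events that have fallen out of the look-back window.
            while ts - window[0] > timedelta(days=rule["window_days"]):
                window.popleft()
            if len(window) < rule["threshold"]:
                continue
            course_key = (user, rule["course"])
            last = last_assigned.get(course_key)
            if last is not None and ts - last < timedelta(days=cooldown_days):
                continue  # course already assigned recently; do not nag
            assignments.append((user, rule["course"], ts.isoformat()))
            last_assigned[course_key] = ts
            window.clear()  # start counting afresh after an assignment
    return assignments


if __name__ == "__main__":
    for user, course, when in evaluate(SAMPLE_EVENTS, RULES):
        print(f"{when}: assign '{course}' to {user}")
```

In the sample data, ivanov’s third blocked flash drive on 20 March falls within 30 days of the first one, so the external-drives course is assigned then, and the fourth insertion in April starts a fresh count. petrova is sent to the phishing course on her first click; her second failure 23 days later is suppressed by the cooldown rather than generating a duplicate assignment, which is the kind of edge case a real rule engine has to handle so that users are not flooded with repeated course invitations.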
In search of the “magic pill”. Or is it all about a comprehensive approach?
Of course, no information security solution is a panacea or a magic pill for all problems. Information security is a set of organizational and technical measures, so an SA solution should be considered only as part of comprehensive protection. Is Security Awareness alone sufficient for the awareness-raising and training process? No, it is not. The information security director needs to put together a set of activities. And the ways of communicating information should vary: seminars, trainings, multimedia courses, newsletters, security bulletins, posters, etc. These can even be screensavers on computer screens with the inscription “When leaving, lock the computer.” That is, the options for training and awareness-raising should be varied, since all people are different and react differently to different training formats.